What is an Allowlist?

Permitting Specific Domains Through Your DNS Filter

An allowlist is a list of domains explicitly permitted to bypass DNS filtering rules. Allowlists ensure that critical services, trusted websites, and approved resources are never blocked — even when broad category filters are enabled.

Set Up DNS Filtering

Step 1: What is an Allowlist?

An allowlist (also called a whitelist) is a list of domains that are explicitly permitted through a DNS filter, regardless of which content categories are blocked.

When a domain is on the allowlist, the DNS resolver will always return the correct IP address for it — even if the domain falls into a category that would normally be blocked. This ensures that essential services remain accessible.

Allowlists work alongside blocklists to give administrators precise control over what is and isn't accessible on their network.

Step 2: How Allowlists Work in DNS Filtering

When a DNS query arrives at the resolver, the allowlist is checked before any blocking rules:

  • Priority check: The resolver first checks if the queried domain is on the allowlist — if it is, the query is resolved normally regardless of other rules
  • Category override: A domain in a blocked category (e.g., social media) can be accessed if it's explicitly allowlisted
  • Subdomain handling: Allowlisting a domain typically covers all its subdomains unless configured otherwise
  • Per-profile control: Different filter profiles can have different allowlists for different user groups

Step 3: When to Use Allowlists

Common scenarios for allowlisting domains:

  • False positives: A legitimate site incorrectly categorized as harmful — allowlisting ensures uninterrupted access while the categorization is reviewed
  • Business-critical services: SaaS tools, payment processors, or internal systems that must never be blocked
  • Educational resources: Schools may block social media but allowlist specific educational accounts or tools
  • Testing and development: Developers may need access to domains that fall into restricted categories

For maximum security, some organizations use a whitelist-only mode where everything is blocked by default and only explicitly approved domains are accessible.

Step 4: Allowlists in CleanBrowsing

CleanBrowsing's paid plans let you manage allowlists through the dashboard or API. You can add individual domains or use wildcard patterns to permit entire groups of subdomains.

On the authoritative DNS side, NOC.org manages the DNS records that determine where domains point — while CleanBrowsing's recursive resolver controls which of those domains your users can actually reach.

Take control of your DNS filtering

Set Up CleanBrowsing